We are in the beginning stages of integrating a new company we purchased. I want to add their AD into our FIM implementation and am trying to decide the best way to do this.
We will have a single, consolidated HR source.
We have a single AD forest; they have three (3).
Most users will have a single ID, in one of the four (4) forests, but there will be some users with an ID in more than one.
Initially, at least, I will only be doing IAF from their forests, but might later do EAF. Doing provisioning is also possible, further down the road.
My primary question is: should I use the default 'person' MV object for everyone or should I clone the 'person' object, creating a new one for users in their forest(s)? If the latter, do I create a 'person' object per forest?
Eventually, we will be doing an AD consolidation into a single forest, in case that makes a difference.
I don't see a strong argument either way - you could map multiple accounts to a single MV object, or you could have multiple objectTypes in the MV (mapped to the FIM person object if you want them to access the portal).
If you go with multiple objectTypes in the MV you will have to think about migration in the future when you consolidate, but I can't see that would be insurmountable.
I guess it's your personal preference. I know people who get very heated about schemas, but I'm not one of them - whatever works for you :)
I would prefer the simplest way: use one object, 'person'. Schema and mapping will be easier to maintain!
For users with multiple accounts in different domains, you will need to choose which account will have access to the FIM Portal (to fill the AccountName, Domain and ObjectSid attributes in FIM) or create a 'duplicate' object.
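To make the "single 'person' object" design concrete, here is an added illustration (not code from either poster, and not FIM's own rules-extension API): a plain-Python model of joining connector-space accounts from several forests onto one metaverse person keyed on an HR employee ID, then picking the one account that fills AccountName, Domain and ObjectSid by a fixed per-forest precedence. The forest names, the employeeID join anchor and the sample HR and AD records are all constructed for the example; a real deployment would express the same decision as a join rule plus attribute-flow precedence.

```python
"""Model of a FIM-style metaverse join with per-forest precedence.

Assumptions (constructed for this illustration):
- every AD connector-space (CS) object carries an employeeID matching the HR feed,
  and that value is the join anchor for the single metaverse 'person' object;
- AccountName/Domain/ObjectSid on the MV person come from exactly one account,
  chosen by the precedence list (our forest first, then the acquired forests);
- CS objects with no matching HR record stay disconnectors.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical forest names; the first entry wins when a person has several accounts.
PRECEDENCE = ["corp.example", "acq1.example", "acq2.example", "acq3.example"]


@dataclass
class CsEntry:
    """One AD account as seen in a forest's connector space."""
    forest: str
    employee_id: str
    sam_account_name: str
    object_sid: str


@dataclass
class MvPerson:
    """The single metaverse 'person' object for one HR record."""
    employee_id: str
    display_name: str
    account_name: Optional[str] = None
    domain: Optional[str] = None
    object_sid: Optional[str] = None
    linked: List[CsEntry] = field(default_factory=list)


def build_metaverse(hr_feed: List[dict], cs_entries: List[CsEntry],
                    precedence: List[str] = PRECEDENCE) -> Tuple[Dict[str, MvPerson], List[CsEntry]]:
    """Project one MV person per HR record, join CS accounts by employeeID,
    then flow portal attributes from the highest-precedence linked account.
    Returns (metaverse keyed by employeeID, list of unjoined CS entries)."""
    mv = {rec["employee_id"]: MvPerson(rec["employee_id"], rec["display_name"]) for rec in hr_feed}
    unjoined: List[CsEntry] = []
    for cs in cs_entries:
        person = mv.get(cs.employee_id)
        if person is None:
            unjoined.append(cs)          # disconnector: no HR record to join to
            continue
        person.linked.append(cs)

    rank = {forest: i for i, forest in enumerate(precedence)}
    for person in mv.values():
        if not person.linked:
            continue                     # HR-only person, no AD account yet
        winner = min(person.linked, key=lambda c: rank.get(c.forest, len(rank)))
        person.account_name = winner.sam_account_name
        person.domain = winner.forest    # assumption: forest name stands in for the domain
        person.object_sid = winner.object_sid
    return mv, unjoined


def multi_account_users(mv: Dict[str, MvPerson]) -> List[str]:
    """employeeIDs that joined more than one account: these are the people for whom
    the portal-access decision (or a duplicate object) has to be made explicitly."""
    return sorted(p.employee_id for p in mv.values() if len(p.linked) > 1)


# Constructed sample data: three HR records, accounts spread over two forests,
# plus one AD account (E9) with no HR record.
HR_FEED = [
    {"employee_id": "E1", "display_name": "Alice Corp"},
    {"employee_id": "E2", "display_name": "Bob Acquired"},
    {"employee_id": "E3", "display_name": "Jane Both"},
]
CS_ENTRIES = [
    CsEntry("corp.example", "E1", "alice", "S-1-5-21-1-1-1-1001"),
    CsEntry("acq1.example", "E2", "bob", "S-1-5-21-2-2-2-1002"),
    CsEntry("acq2.example", "E3", "jane.both", "S-1-5-21-3-3-3-1003"),
    CsEntry("corp.example", "E3", "jdoe", "S-1-5-21-1-1-1-1004"),
    CsEntry("acq3.example", "E9", "orphan", "S-1-5-21-4-4-4-1009"),
]

if __name__ == "__main__":
    metaverse, orphans = build_metaverse(HR_FEED, CS_ENTRIES)
    for eid, p in sorted(metaverse.items()):
        print(eid, p.display_name, p.account_name, p.domain, len(p.linked))
    print("needs a portal-account decision:", multi_account_users(metaverse))
    print("unjoined:", [c.sam_account_name for c in orphans])
```

Running it shows E3 joined from both corp.example and acq2.example, with the portal attributes taken from the corp account because of precedence, while the acq3 "orphan" account stays a disconnector; the list returned by multi_account_users is the set of people the second answer says you have to decide about before they can log in to the portal.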